It was his first job, so Kenneth couldn't really complain. His official title was Senior System Administrator and, in his role, he was responsible for such glamorous things like setting up new desktops and cleaning spyware off the administrative assistant's PC. The people were nice, they appreciated the work he did, and the commute was fine. But whenever payday would come around, he'd be reminded that he was doing entry-level work for entry-level pay, all with a big-boy title. Not too long after he started, it was time for a change.

When Kenneth tendered his resignation, his boss was legitimately happy for him and glad that he was moving up in his career. As a parting tasked, he asked Kenneth to train John, the soon-to-be Senior System Administrator, on all of their systems. As it turned out, it was John's first job, too.

However, as Kenneth got to know John a little more, he felt less and less confident that he was the right guy for the job. The first clue came when he walked John through the accessing the self-hosted web server via FTP. "I've used FPT quite a bit," John said cheerfully, "I can use Outlook for that, right?".

After some additional "misunderstandings", Kenneth felt it was best to warn his boss and suggest that they find a better candidate, but the response was "this is an entry level job, so it's ok if the guy isn't a guru." Kenneth didn't push the issue beyond that, as it ws no longer his responsibility. Besides he was ready to put his old life a Senior System Administrator behind him. They parted ways and promised to stay in touch.

Keeping in Touch

It had been months since Kenneth had left his job, when suddenly his cell phone rang. The number looked strategly familiar: it was his old employer's. He picked up the phone.

"Kenneth?" there was a frantic voice on the other end, "hey man, I got a big problem here. I think that our entire website domain is infected with a virus!" It was John.

"Wait..." Kenneth responded, "the whole domain you say?"

"Yeah," John said "that's what the antivirus said! Oh man, we're totally screwed...I have no idea to handle something like this and—"

"Alright, let me dial in and check real quick."

Kenneth dialed in and checked the files out on the web server. Much to his surprise, there really was a virus on there called Trojan.JS.PYV doing its dirty work. The damage wasn't anything serious, as the virus simply modified all PHP files and inserted an iframe linked to malware web sites. After a quick search-and-replace, the problem was solved. But there was still one nagging question: how did the worm gain access to the files when the web server was only accessed via FTP?

Too Much Sharing

"Hey John, do you remember the username and password for the web server I gave you?" asked Kenneth, "did you ever use it?" .

"Yeah!" John replied, " We use that all the time!"

"Ummm...We who?"

-"Yeah, remember the FTP[at least he had the correct acronym now] server that you set up on our intranet? Well it didn't work if we wanted to send large files to our clients. I found out that the login you gave me for the web server also allowed us to upload FTP files that our clients could see, so that's what we're doing now." -"Wait a minute...so you're uploading private files to a publicly accessible web folder?" -"Of course not, I found this cool feature in Windows Explorer called 'network drive' that I set up for everyone in the company" -"And how do the clients get the files?" -"Oh I helped our clients set up the network drive too..."

John went on to explain that nearly everybody in the company had access to the web server through a neat feature in Windows Explorer that turned the FTP site into a giant shared network drive. At first, it was only used to store large files that would otherwise be sent via email to their clients. Also, once word spread on just how easy it was to connect to the server as a network drive, everybody used it as a catch-all for all kinds of files.

"Wait a minute," Kenneth asked, "so clients are sent a URL that links to their file, and then they downloaded it over HTTP?"

"Yeah, I tried that, but in the end, it was just too confusing for some people and in the end, I just helped our clients set up the network drive too..."

Kenneth spent the better part of an hour on the phone explaining to John why sharing the password to their web server's FTP account with your clients is not only a decidedly "bad idea" , but also the fact that keeping sales reports, payroll spreadsheets, and other private information on a shared network drive accessible not only by clients but also anyone could potentially browse through by typing http://www.initrodeglobal.com/shared-dir/ is a very dangerous proposition.

But Kenneth kept his cool. After all, John was very new and he was only the office's "Senior System Adminstrator".